ewido 3.5 - possible false positives?

Discussion in 'other anti-trojan software' started by noobie1kenobi, Jul 6, 2005.

Thread Status:
Not open for further replies.
  1. ewido 3.5 scan reveals:

    c:\program files\grisoft\avg free\avgemc.exe
    Heuristic.Win32.Dialer

    The above file is the email scanner of Grisoft's AVG, so I'm assuming this must be an FP. Bit surprising others with AVG have not seen this?!?

    c:\program files\isp\aol\comps\coach\aolcinst.exe/data\player\aolnysev.exe
    Heuristic.Win32.Hijacker1

    The above file is one of those files most PCs have that come preinstalled with the machine. It's an ISP installation file which I have never used, since AOL is not my ISP. I really should just erase this directory ;)

    I uploaded both files to VirusTotal and Jotti's online scanners respectively; both reported the files were clean.

    Could someone confirm these are FPs and will be fixed in the next update?

    Thanks in advance
    noobie1kenobi

    PS
    I have temporarily disabled the avgemc plugin, until I know better!
     
  2. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    The AVG fp has already been fixed, could you please send the "aolcinst.exe" to submit@ewido.net? thx
     
  3. Ok, file submitted :)

    Do you mean the AVG FP is fixed in today's update?

    Because I downloaded today's update and I am still getting the AVG FP!

    Or do you mean it's fixed for the next update release?

    thx
    noobie1kenobi
     
  4. Chex

    Chex Registered Member

    Joined:
    Apr 4, 2004
    Posts:
    1
    I've had what I think is a false positive called heuristic.Win32.Dialer associated with the AOL 9.0 file called acsd.exe - that's the AOL Connectivity Service. I've sent the file to Ewido, but no reply yet. The following scanners say the file is clean. Pest Control, Ad-Aware, SpyBot S&D, AVG, online Trend Spyware check.

    I have uninstalled AOL and deleted the directory containing the file. After that, Ewido 3.5 runs a clear scan. Then I reinstalled AOL from a clean source and repeated a scan, and Ewido 3.5 says the heuristic.Win32.Dialer is back. If I remove just the file, Ewido will run a clean scan, but AOL will not work. AOL then offers to rebuild the file, and round and round.

    It sure sounds like a false positive to me, but I'll wait until I hear more from Ewido.

    Chex
     
  5. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    It will probably be added tomorrow. I have never had a reply to a submitted file, but they are usually added in the next day or two. :)
     
  6. Well, a new sig update for ewido 3.5 was released today. This update does not resolve either of the false positives I reported in my earlier post!

    Fish25, you reported the AVG FP had been fixed. But using the latest sigs, I still get the AVG FP that I reported earlier.

    The file I submitted is also still flagged as malware. Then again, I did not expect that to be fixed by the next update.

    However, I expected the AVG FP to be fixed, since Fish stated it had!!!!!

    What's going on?

    noobie1kenobi
     
  7. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    What signature files do you have? Have you really got the latest updates? All known false positives (including yours) have been fixed.
     
  8. This is what I've got:
    threats in database: 168.260
    version of database: #1322

    Should I uninstall and reinstall ewido 3.5, then update again?
     
  9. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Strange... Could you perhaps zip the entire ewido folder and send it to support@ewido.net? Many thanks! Also a sample false positive would be nice :)
     
  10. hawkster

    hawkster Guest

    I think I can explain why noobie is still seeing FPs even after an update.

    If you update sigs via manual updates you will see this problem.

    This is because manual updates only contain sig dat files.

    The other important file changes that were made automatically are not downloaded.

    So the heuristic file that was updated in automatic updates will not be updated in a manual update. So you will still see the FPs even though you have updated sigs!!

    I found this out while comparing automatic and manual updates!!!

    Noobie, simply reinstall and use the automatic updates, not the manual updates. Hope this helps.

    IMO manual updates are useless because only sig dats are updated. Other important updated files are not included. So if you have any FPs, they won't get fixed by a manual update.

    Is this correct fish?

    hawkster
     
  11. Thanks hawkster.

    Yes, initially I had to do a manual update. Not sure whether it was a server problem or firewall setup, but I couldn't autoupdate.

    Anyway, I reinstalled ewido and this time autoupdate worked.

    Voila! No more FPs :) :):)

    As for the files updated, you're right!

    Several files not updated manually were updated by the autoupdate, including a heuristic file, which was probably what was giving me my FPs.

    It seems in a manual update only sigs are updated. Other files updated by the auto process are not included in manual updates.

    Which, like you said, kind of renders manual updates useless, unless you don't care about the heuristics feature.

    Fish, will ewido be including the relevant updated files, not just the sig dat files, in future manual updates?

    Five non-sig dat files were updated by the autoupdate, including sigs, but were not updated by a manual update!!!

    If not, people updating manually, for whatever reason, will find that they still get the FPs they got before.

    My suggestion in this case is not to use heuristics if you manually update!
    Thanks again :)
    noobie1kenobi
     
  12. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Manual update from inside the program != manual signature update by using the files from our website :)

    The manual update from within the program does the same as the automatic update does.
     
  13. Sorry fish, I wasn't clear.

    What I meant was, I used the updates installer, which I downloaded from the website from the link below.

    http://www.ewido.net/en/download/updates/

    Then I ran the installer on my machine. This installer only updated the sig dat files and not any of the other important files needed, which was why I was still getting FPs.

    When I did this with the integrated manual update, the sig files AND the non-sig files were updated.

    Will the installer of sigs that you download from the above link include the other updated non-sig files needed in the future?

    Shall I state on here which files the downloaded installer does not update?

    These non-sig files need to be included with the sigs in the installer, otherwise it's not the same as the integrated manual update.

    Thanks
    noobie
     
  14. racooper

    racooper Registered Member

    Joined:
    Jul 10, 2005
    Posts:
    2
    I just downloaded and tested the new Ewido. I had the following false positives:

    I "ignored" them manually.

    The first is part of pcAnywhere (and was a Heuristic check, obviously).

    The second, nc.exe, is Netcat, a command-line utility for file transfers. "Netcat, dubbed the TCP/IP 'Swiss Army knife', is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol."
     
  15. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Yeah, here's my FPs

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 12:22:44 PM, 7/10/2005
    + Report-Checksum: 70E5C8B2

    + Scan result:

    C:\downloads\Games\risk.zip/risk.exe -> Worm.Franvir : Ignored
    C:\Unzipped\Risk\risk.exe -> Worm.Franvir : Ignored


    ::Report End

    I'm going to send these to ewido to make sure they are FPs. From all the other scans I've done, they seem to be.
     
  16. Mark77

    Mark77 Guest

    I ran a full system scan and it seems to have scanned my 2nd hard drive which has Windows ME on it and it says

    F:\WINDOWS\tmpcpyis.bat is Backdoor.AcidShiver

    That's a detection on Win ME, not XP, but I think it is an FP nonetheless. Not sure if it matters to Fish because it was on Win ME. I scanned it with many other scanners and uploaded it to KAV, and it was clean.
     
  17. James Taylor

    James Taylor Guest

    Neither PCanywhere nor Netcat should be counted as false positives I think. I personally would appreciate detection of such tools.

    If you use such tools, fine. Just ignore. For most people the presence of such proggies is a big red flag.
     
  18. Swandog46

    Swandog46 Registered Member

    Joined:
    Jul 10, 2005
    Posts:
    1
    For your information, I still can confirm the false positive:

    C:\Program Files\Common Files\AOL\ACS\acsd.exe -> Heuristic.Win32.Dialer : Cleaned with backup

    has not been fixed.

    Thanks for your help, Ewido team!
     
  19. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    It has been fixed, at least the two acsd.exe we got aren't detected anymore. Could you please send us your acsd.exe?
     
  20. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    The most current heuristic.dat is now included in the updatepacks available on our website. :)
     
  21. profhsg

    profhsg Registered Member

    Joined:
    May 18, 2004
    Posts:
    145
    Does the most current heuristic.dat file have to be downloaded separately, or will my automatic updates on Ewido 3.5 Pro automatically download it? If it has to be downloaded separately, could you give us the URL for the download, because I'm having a hard time finding it on your site.

    Thanks
     
  22. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Automatic :)
     
  23. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Found 1 possible false positive while doing a Complete System Scan with the default settings plus scan every file...

     
  24. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    The false positive was fixed... ;)

    Thanks
     
  25. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Yes, they are quite fast in fixing the Heuristic false positives. :)
     